Symbolic execution with abstraction

Published: 01 February 2009

    Abstract

    We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking and consider state matching techniques to limit the state space. We describe a method for examining whether a symbolic state that arises during symbolic execution is subsumed by another symbolic state. Since the number of symbolic states may be infinite, subsumption is not enough to ensure termination. Therefore, we also consider abstraction techniques for computing and storing abstract states during symbolic execution. Subsumption checking determines whether an abstract state is being revisited, in which case the model checker backtracks; this enables analysis of an under-approximation of the program behaviors. We illustrate the technique with abstractions for lists and arrays. We also discuss abstractions for more general data structures. The abstractions encode both the shape of the program heap and the constraints on numeric data. We have implemented the techniques in the Java PathFinder tool and we show their effectiveness on Java programs. This paper is an extended version of Anand et al. (Proceedings of SPIN, pp. 163–181, 2006).
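    The search the abstract describes (symbolic states abstracted, the abstraction checked for subsumption against already visited abstract states, backtracking on a hit, with an under-approximation as the price) as an added example in Python. This is not the paper's or Java PathFinder's code. It assumes a constructed program `i = 0; while (n != null) { i = i + 1; n = n.next; } assert i <= limit;` over a symbolic linked list that is materialized by lazy initialization, a list abstraction that collapses two or more materialized nodes into one summary node, and a numeric abstraction that keeps the counter exact below a chosen `bound` and widens it to [bound, ∞) from there; `State`, `AbstractState`, `explore` and the other names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

INF = float("inf")

# Constructed program under analysis (hypothetical, for this example only):
#     i = 0;
#     while (n != null) { i = i + 1; n = n.next; }
#     assert i <= limit;
# `n` is a symbolic linked list whose nodes are created on demand (lazy
# initialization): each loop iteration either ends the list or materializes
# one more unaliased node, so the concrete symbolic state space is infinite.


@dataclass(frozen=True)
class State:
    """A symbolic state: location, materialized list nodes, exact counter value."""
    loc: str      # "loop" (loop head) or "exit" (after the loop)
    nodes: int    # list nodes materialized so far by lazy initialization
    i: int        # value of the counter along this path


@dataclass(frozen=True)
class AbstractState:
    """Abstraction of a State: a shape summary plus an interval for the counter."""
    loc: str
    shape: str                 # "empty", "one", or "summary" (two or more nodes)
    i: Tuple[float, float]     # closed interval [lo, hi] over the counter


def successors(s: State) -> List[State]:
    """Symbolic transitions at the loop head: the next field is uninitialized,
    so lazy initialization branches into 'list ends here' and 'fresh node'."""
    if s.loc == "exit":
        return []
    return [State("exit", s.nodes, s.i), State("loop", s.nodes + 1, s.i + 1)]


def abstract(s: State, bound: int) -> AbstractState:
    """Shape abstraction: collapse two or more nodes into one summary node.
    Numeric abstraction: keep i exact below `bound`, widen to [bound, inf) above."""
    shape = "empty" if s.nodes == 0 else "one" if s.nodes == 1 else "summary"
    interval = (float(s.i), float(s.i)) if s.i < bound else (float(bound), INF)
    return AbstractState(s.loc, shape, interval)


def subsumed(a: AbstractState, by: AbstractState) -> bool:
    """`a` is subsumed by `by` when the shapes match and a's numeric constraint
    implies by's, i.e. a's interval lies inside by's interval."""
    return (a.loc == by.loc and a.shape == by.shape
            and by.i[0] <= a.i[0] and a.i[1] <= by.i[1])


def violates(s: State, limit: int) -> bool:
    """Property checked on the concrete symbolic state at loop exit."""
    return s.loc == "exit" and s.i > limit


def explore(bound: int, limit: int) -> Tuple[Optional[State], int]:
    """Depth-first search with abstract subsumption checking.

    Returns (violating concrete state or None, number of states explored).
    The visited set holds abstract states; a state whose abstraction is
    subsumed by a visited one is not expanded (the search backtracks)."""
    visited: List[AbstractState] = []
    stack = [State("loop", 0, 0)]
    explored = 0
    while stack:
        s = stack.pop()
        explored += 1
        if violates(s, limit):
            return s, explored          # a concrete path reaches the error
        a = abstract(s, bound)
        if any(subsumed(a, v) for v in visited):
            continue                    # revisited abstract state: backtrack
        visited.append(a)
        stack.extend(reversed(successors(s)))
    return None, explored               # under-approximation exhausted


if __name__ == "__main__":
    for bound in (2, 3):
        witness, count = explore(bound=bound, limit=2)
        print(f"bound={bound}: explored {count} states, violation={witness}")
```

    With `bound=3` and `limit=2` the search reaches the concrete exit state with `i = 3` after eight states and reports it; the report is sound because the concrete symbolic state is kept alongside its abstraction and the property is checked on the concrete state. With `bound=2` the state with three materialized nodes abstracts to a summary state already visited, the search backtracks and stops after seven states without finding the violation: that is the under-approximation the abstract mentions, and it is the reason the abstraction (here the widening bound) decides which errors the analysis can still detect. Both runs terminate although the unabstracted symbolic state space is infinite.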

    References

    [1] Anand, S., Orso, A., Harrold, M.J.: Type-dependence analysis and program transformation for symbolic execution. In: Proceedings of TACAS, pp. 117–133 (2007)
    [2] Anand, S., Pasareanu, C.S., Visser, W.: Symbolic execution with abstract subsumption checking. In: Proceedings of SPIN, pp. 163–181 (2006)
    [3] Anand, S., Pasareanu, C.S., Visser, W.: JPF-SE: a symbolic execution extension to Java PathFinder. In: Proceedings of TACAS, pp. 134–138 (2007)
    [4] Ball, T.: A theory of predicate-complete test coverage and generation. MSR-TR-2004-28 (2004)
    [5] Ball, T., Kupferman, O., Yorsh, G.: Abstraction for falsification. In: Proceedings of CAV, pp. 67–81 (2005)
    [6] Ball, T., Rajamani, S.K.: The SLAM toolkit. In: Proceedings of CAV, pp. 260–264 (2001)
    [7] Chaki, S., Clarke, E., Groce, A., Jha, S., Veith, H.: Modular verification of software components in C. ACM Trans. Comput. Syst. 30(6), 388–402 (2004)
    [8] Dams, D., Namjoshi, K.S.: Shape analysis through predicate abstraction and model checking. In: Proceedings of VMCAI, pp. 310–324 (2003)
    [9] Flanagan, C., Qadeer, S.: Predicate abstraction for software verification. In: Proceedings of POPL, pp. 191–202 (2002)
    [10] Floyd, R.W.: Assigning meanings to programs. In: Proceedings of Symposia in Applied Mathematics, vol. 19, pp. 19–32 (1967)
    [11] Ghiya, R., Hendren, L.J.: Is it a tree, a DAG, or a cyclic graph? A shape analysis for heap-directed pointers in C. In: Proceedings of POPL, pp. 1–15 (1996)
    [12] Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Proceedings of PLDI, pp. 213–223 (2005)
    [13] Gopan, D., DiMaio, F., Dor, N., Reps, T., Sagiv, M.: Numeric domains with summarized dimensions. In: Proceedings of TACAS, pp. 512–529 (2004)
    [14] Gopan, D., Reps, T., Sagiv, M.: A framework for numeric analysis of array operations. In: Proceedings of POPL, pp. 338–350 (2005)
    [15] Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Software verification with BLAST. In: Proceedings of SPIN, pp. 235–239 (2003)
    [16] Holzmann, G.J., Joshi, R.: Model-driven software verification. In: Proceedings of SPIN, pp. 76–91 (2004)
    [17] Java PathFinder. http://javapathfinder.sourceforge.net
    [18] Khurshid, S., Păsăreanu, C., Visser, W.: Generalized symbolic execution for model checking and testing. In: Proceedings of TACAS, pp. 553–568 (2003)
    [19] Khurshid, S., Suen, Y.: Generalizing symbolic execution to library classes. In: Proceedings of PASTE, pp. 103–110 (2005)
    [20] King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)
    [21] Kuncak, V., Rinard, M.: Existential heap abstraction entailment is undecidable. In: Proceedings of SAS, pp. 418–438 (2003)
    [22] Manevich, R., Yahav, E., Ramalingam, G., Sagiv, M.: Predicate abstraction and canonical abstraction for singly-linked lists. In: Proceedings of VMCAI, pp. 181–198 (2005)
    [23] Păsăreanu, C., Visser, W.: Verification of Java programs using symbolic execution and invariant generation. In: Proceedings of SPIN, pp. 164–181 (2004)
    [24] Păsăreanu, C.S., Dwyer, M.B., Visser, W.: Finding feasible abstract counter-examples. STTT 5(1), 34–48 (2003)
    [25] Păsăreanu, C.S., Pelánek, R., Visser, W.: Concrete model checking with abstract matching and refinement. In: Proceedings of CAV, pp. 52–66 (2005)
    [26] Pugh, W.: The Omega test: a fast and practical integer programming algorithm for dependence analysis. Commun. ACM 31(8), August (1992)
    [27] Sagiv, S., Reps, T.W., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24(3), 217–298 (2002)
    [28] Sen, K., Marinov, D., Agha, G.: CUTE: a concolic unit testing engine for C. In: Proceedings of ESEC/SIGSOFT FSE, pp. 263–272 (2005)
    [29] Visser, W., Havelund, K., Brat, G., Park, S.J., Lerda, F.: Model checking programs. Autom. Softw. Eng. J. 10(2), 203–232 (2003)
    [30] Xie, T., Marinov, D., Schulte, W., Notkin, D.: Symstra: a framework for generating object-oriented unit tests using symbolic execution. In: Proceedings of TACAS, pp. 365–381 (2005)
    [31] Yavuz-Kahveci, T., Bultan, T.: Automated verification of concurrent linked lists with counters. In: Proceedings of SAS, pp. 69–84 (2002)


    Published In

    International Journal on Software Tools for Technology Transfer (STTT), Volume 11, Issue 1, February 2009, 78 pages
    ISSN: 1433-2779
    EISSN: 1433-2787

    Publisher

    Springer-Verlag, Berlin, Heidelberg

    Publication History

    Published: 01 February 2009

    Cited By

    • (2022) Model checking of vulnerabilities in smart contracts. Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, pp. 316–325. doi:10.1145/3477314.3507309. Online publication date: 25-Apr-2022
    • (2021) ASE. Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering, pp. 203–214. doi:10.1109/ASE51524.2021.9678584. Online publication date: 15-Nov-2021
    • (2020) Automated generation of consistent models with structural and attribute constraints. Proceedings of the 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, pp. 187–199. doi:10.1145/3365438.3410962. Online publication date: 16-Oct-2020
    • (2019) JaVerT 2.0: compositional symbolic execution for JavaScript. Proceedings of the ACM on Programming Languages 3(POPL), pp. 1–31. doi:10.1145/3290379. Online publication date: 2-Jan-2019
    • (2018) Symbolic Execution for JavaScript. Proceedings of the 20th International Symposium on Principles and Practice of Declarative Programming, pp. 1–14. doi:10.1145/3236950.3236956. Online publication date: 3-Sep-2018
    • (2018) A Survey of Symbolic Execution Techniques. ACM Computing Surveys 51(3), pp. 1–39. doi:10.1145/3182657. Online publication date: 23-May-2018
    • (2015) Symbolic execution as a basis for termination analysis. Science of Computer Programming 102(C), pp. 142–157. doi:10.1016/j.scico.2015.01.007. Online publication date: 1-May-2015
    • (2014) Scaling Up Symbolic Analysis by Removing Z-Equivalent States. ACM Transactions on Software Engineering and Methodology 23(4), pp. 1–32. doi:10.1145/2652484. Online publication date: 5-Sep-2014
    • (2014) Directed Incremental Symbolic Execution. ACM Transactions on Software Engineering and Methodology 24(1), pp. 1–42. doi:10.1145/2629536. Online publication date: 7-Oct-2014
    • (2014) Property differencing for incremental checking. Proceedings of the 36th International Conference on Software Engineering, pp. 1059–1070. doi:10.1145/2568225.2568319. Online publication date: 31-May-2014
